Pentagon announces new reciprocity guidelines to streamline software adaptation

Networks / Cyber, Pentagon

DoD CIO Participates in Virtual Cybersecurity Forum

John Sherman, then acting chief information officer of the Department of Defense, participates in a virtual panel with Billington Cybersecurity at the Pentagon, April 15, 2021 (DoD photo by Chad J. McNeeley)

GEOINT — The Pentagon has rolled out new cybersecurity guidelines, aiming to address what Chief Information Officer John Sherman called slow, duplicative processes that hinder technology and software innovation.vation.

The plan, according to a one-page document signed by Deputy Defense Secretary Kathleen Hicks last week and releasedAs stated on Wednesday, the goal is to apply the concept of “reciprocity”, which essentially means that if one office certifies that a system is cyber-secure, then all offices can accept it instead of having to redo the certification process.

Sherman announced the new guidance during a speech at the annual GEOINT symposium in Orlando, Fla., on Wednesday, telling the crowd: “Immediately after we finish speaking, we are about to issue new guidance that Secretary deputy has signed and which will be direct reciprocity by default within the Ministry of Defense.

Sherman explained that the move will ensure “that people don’t have to check each other’s homework over and over again” unless a manager has “good reason” to recheck.

“We’re going to adopt reciprocity by default and start blasting through that,” he added.

The move comes after a host of complaints from within the department and industry leaders surfaced regarding Authorization to Treat (ATO) procedures. ATO procedures have been seen as a problem because they are not only slow and bureaucratic, but they can also be redundant as different organizations often each have their own Authorizing Officer (AO) who must assign an ATO to software before it can be released. it can be used. implemented.

AOs often have different criteria, so the software company going through this process has to operate a little differently each time, slowing down the process when the neighboring office may have already been cleared to use the same software.

“We have heard you loud and clear on this within the DoD. I’m not going to say it’s going to solve all the problems, but it’s going to help us a little bit,” Sherman said.

Although Sherman made it clear that this initiative was intended to reduce time, he stressed that the process may be more complicated and require another step, for which he said his office was prepared to assist.

“There is going to be a second major aspect to this. This will be the case, if an authorized official feels that they are being impeded in any way, they can report this directly to my office in conjunction with our Information Security Officer,” he said. Sherman said.

In addition to saving time, reciprocity also saves money because it allows federal entities to reuse internal and external findings from other organizations, reducing investment costs associated with approval computer systems operating on different networks.

“This is coming from the assistant secretary that reciprocity should be a default. That should be the first choice rather than having to redo all the due diligence,” Sherman said. DefenseScoop in an interview Wednesday.

The guidance released on Wednesday, officially titled ““Addressing Cybersecurity Risk Management Framework and Reciprocity Issues” states that the “Department is implementing the Risk Management Framework (RMF), in accordance with DoD Instruction 8510.01, to guide how we build, implement and maintain cybersecurity and survivability capabilities.”

While the RMF provides guidance for the Pentagon, the CIO also plans to provide similar guidance to the broader intelligence community, Sherman told DefenseScoop.

“That’s sort of our next hill to climb later, because of the different classifications and the fact that these evidence sets are kept secret or top secret, versus unclassified databases, etc.,” a- he declared to the media.

Theresa Hitchens in Orlando contributed to this report.